For Help Getting Started, Visit

IPSEC FOR LARGE SCALE DEPLOYMENTS

DevConf, Brno, January 2020

Presented by Paul Wouters, VPN Technologies THE LIBRESWAN PROJECT An Internet Key Exchange (“IKE”) daemon for IPsec

• Continuation of openswan, which itself was a fork of freeswan • Uses the NSS library for all its crypto • Certified (FIPS, Common Criteria, USGv6, etc.) • Supports X.509 and DNSSEC as PKI • Supports raw public keys and PSK • Supports IKEv1 and IKEv2

2 IPsec for large scale deployments IPsec PRIMER IKE + IPsec = VPN

IKE (USERLAND) IPsec (KERNEL) ISAKMP, IKE SA, PHASE 1 IPsec SA, CHILD SA, PHASE 2 UDP PORT 500 AND 4500 PROTOCOL 50 (ESP) AND 51 (AH)

• Command Channel • Data Channel • Peer authentication • Encapsulated Security Payload • Connection parameter negotiation (ESP) IP packet encryption • IPsec symmetric key generation • Authenticated Header (AH) • Communicates to kernel • ESPinUDP (for NAT)

• IKE itself is encrypted • Tunnel Mode (IP in IP) • IKE does not encrypt the IP traffic • Transport Mode

3 IPsec for large scale deployments LINUX IPsec IMPLEMENTATION (XFRM) 1. IPsec in the kernel has policies (SPD) and states (SAD)  Visible via: ip xfrm policy, ip xfrm state  Communication between userland and kernel visible via: ip xfrm monitor • Packets matching policies with a linked state causes encryption/decryption • Unencrypted packets matching an encryption policy without state are dropped • First outgoing plaintext packet matching IPsec policy without IPsec state triggers an ACQUIRE 2. Userland inserts “trap” policies for on-demand tunnels 3. Userland requests to receive ACQUIREs and processes these when received • Perform IKE negotiation with remote peer • Send IPsec policy and encryption/authentication keys to the kernel 4. Kernel processes netlink messages • Install received crypto keys in state, link crypto state to policy • If TCP was stored, send out cached TCP packet

4 IPsec for large scale deployments LINUX IPsec IMPLEMENTATION (XFRM) Mobile IKE: Support for mobile clients that change IP address 1. Libreswan receives an IKE message from a new IP address 2. Matches the encrypted IKE packet via SPI’s to an existing peer 3. Decrypts and confirms this IKE packet is a new packet (via sequence number) 4. Send XFRM_MIGRATE message to kernel 5. Kernel updates endpoint IP of the XFRM state 6. Libreswan confirms via a reply IKE message using the new destination IP address

5 IPsec for large scale deployments LINUX XFRM / NETKEY KERNEL STATE srcsrc 10.3.230.191/3210.3.230.191/32 dstdst 0.0.0.0/00.0.0.0/0 dirdir outout prioritypriority 666666 ptypeptype mainmain tmpltmpl srcsrc 76.10.157.6876.10.157.68 dstdst 209.132.183.55209.132.183.55 protoproto espesp reqidreqid 1641316413 modemode tunneltunnel srcsrc 0.0.0.0/00.0.0.0/0 dstdst 10.3.230.191/3210.3.230.191/32 dirdir fwdfwd prioritypriority 666666 ptypeptype mainmain tmpltmpl srcsrc 209.132.183.55209.132.183.55 dstdst 76.10.157.6876.10.157.68 protoproto espesp reqidreqid 1641316413 modemode tunneltunnel srcsrc 0.0.0.0/00.0.0.0/0 dstdst 10.3.230.191/3210.3.230.191/32 dirdir inin prioritypriority 666666 ptypeptype mainmain tmpltmpl srcsrc 209.132.183.55209.132.183.55 dstdst 76.10.157.6876.10.157.68 protoproto espesp reqidreqid 1641316413 modemode tunneltunnel

srcsrc 209.132.183.55209.132.183.55 dstdst 76.10.157.6876.10.157.68 protoproto espesp spispi 0x605ad2be0x605ad2be reqidreqid 1641316413 modemode tunneltunnel auth-truncauth-trunc hmac(sha1)hmac(sha1) 0x4b7e46cdee9c27588a1a75f6846073cea0x4b7e46cdee9c27588a1a75f6846073cea 9696 encenc cbc(aes)cbc(aes) 0x11ddc9080945111087e81f9ebda5aacb7612c78af18950x11ddc9080945111087e81f9ebda5aacb7612c78af1895 srcsrc 76.10.157.6876.10.157.68 dstdst 209.132.183.55209.132.183.55 protoproto espesp spispi 0x8ca00de30x8ca00de3 reqidreqid 1641316413 modemode tunneltunnel auth-truncauth-trunc hmac(sha1)hmac(sha1) 0x1119585d334a88e023134a100eca6b09f0x1119585d334a88e023134a100eca6b09f 9696 encenc cbc(aes)cbc(aes) 0x310b852b9cbaf2cace7979c1aeb5df4b32eb418c5c3000x310b852b9cbaf2cace7979c1aeb5df4b32eb418c5c300

6 IPsec for large scale deployments

2019: Libreswan

• RFC 8229 “TCP Encapsulation of IKE and IPsec packets” support [*] • Proof of concept for per-cpu IPsec SA support (pCPU XFRM) • XFRMi virtual interface support to replace VTI virtual interfaces • libvirt/KVM based testing complimented with namespace based testing  Much faster, takes less resources, can run tests in parallel • NSS: Use the new “IPsec profile” X.509 validation (RFC 4945) • Dramatically improve IKE performance by offloading more code to threads • NSS: Cache decrypted private keys (Bob’s performance trick) • RFC 5685 IKEv2 REDIRECT support for dynamic load balancing • CVE-2019-12312 (crasher) and CVE-2019-10155 (sig validation failure) • Improvements for Enterprise-wise (mesh) encryption

8 IPsec for large scale deployments XFRMi virtual interface

• Specify: ipsec-device= will create device ipsecN • tcpdump on ethX shows encrypted packets, on ipsecN shows plaintext • Can be managed by the system (eg NetworkManager) or by libreswan • Allow for routing based VPNs – if packet enters device, encrypt it • Uses XFRM IF_ID (new IPsec policy parameter) and does not require MARKing • Can be placed in a network namespace to enforce VPN-only access • Some support in NetworkManager and systemd

• Older VTI (ip_vti0) implementation had limitations:  Each IPsec SA needed its own VTI interface and could only be ipv4 or ipv6  There could only be one wildcard interface (max 1 dynamic IP remote client)  VTI Only supported Tunnel Mode, not Transport Mode  Used GRE keys and MARKs

9 IPsec for large scale deployments TCP support for Remote Access VPN

• IPsec (ESP) is usually encapsulated in UDP to traverse NATs • IKE protocol uses UDP • Some networks block IPsec (or all UDP except DNS)

• RFC 8229: TCP encapsulation of IKE and ESP  Port number not defined (evasive actions)  “IKETCP” prefix to support demultiplexing (aka IPsec-in-TLS support)

• New per connection options:  tcp-listen=  tcp-remoteport=  tcponly=yes|no

10 IPsec for large scale deployments Per-CPU support for high speed IPsec SAs

• Proof of Concept for per-cpu IPsec SA support (pCPU XFRM) • Currently, 1 IPsec SA can only use 1 CPU (about 1-5 gbps) • With pCPU, create cpu times identical IPsec SA’s  One IPsec SA is the main (catch all) IPsec SA  Further identical IPsec SA’s are installed for a specific CPU • Processes generating traffic on one CPU, use the one IPsec SA  Reduces out-of-order packets if multiple processes are sending data • lab result show CPU combined speed (eg 3 CPU * 1gbps/cpu results in 3gbps) • TODO: per-cpu “fake” ACQUIRE messages for per-CPU on-demand support • TODO: support for on-demand QoS IPsec SA’s • See libreswan.org/wiki/XFRM_pCPU for kernel and libreswan code and docs  clones=

11 IPsec for large scale deployments Libreswan testing

• KVM/libvirt testing - 700+ tests • libreswan.org/wiki/Test_Suite_-_KVM • Took between 4 and 8 hours to run – reduced to 2-3 hours • Would regularly hang KVM instances • Tests cannot run in parallel

• Introduced namespaces based testing • libreswan.org/wiki/Test_Suite_-_Namespace • Re-uses KVM/libvirt tests, so most of the 700+ tests are functional • Tests can be started in parallel (but sadly not too many still)

12 IPsec for large scale deployments TESTING.LIBRESWAN.ORG

13 IPsec for large scale deployments IPsec deployment types

• Host to host VPN • Site to site VPN • Remote Access VPN • Enterprise wide encryption (mesh encryption) • Internet wide Opportunistic Encryption (try IPsec, fallback to clear)

14 IPsec for large scale deployments Host to host example configuration Using self-signed or CA based certificates:

## installinstall localcertificate:localcertificate: ipsecipsec importimport MyName.example.com.p12MyName.example.com.p12 ## ConventionConvention used:used: leftleft meansmeans local,local, rightright meansmeans remoteremote ## /etc/ipsec.d/host-to-host.conf/etc/ipsec.d/host-to-host.conf ## bringbring upup manuallymanually using:using: ipsecipsec autoauto –up–up host-to-hosthost-to-host

connconn host-to-hosthost-to-host left=192.1.2.23left=192.1.2.23 [email protected][email protected] ## ourour certificatecertificate leftcert=MyName.example.comleftcert=MyName.example.com right=192.1.2.45right=192.1.2.45 [email protected][email protected] ## IDID mustmust bebe SubjectAltNameSubjectAltName onon certcert ## theirtheir certificatecertificate transmittedtransmitted viavia IKEIKE auto=ondemandauto=ondemand

15 IPsec for large scale deployments Net to Net example configuration Using self-signed or CA based certificates:

## installinstall localcertificate:localcertificate: ipsecipsec importimport MyName.example.com.p12MyName.example.com.p12 ## ConventionConvention used:used: leftleft meansmeans local,local, rightright meansmeans remoteremote ## /etc/ipsec.d/net-to-net.conf/etc/ipsec.d/net-to-net.conf ## bringbring upup manuallymanually using:using: ipsecipsec autoauto –up–up net-to-netnet-to-net

connconn net-to-netnet-to-net left=192.1.2.23left=192.1.2.23 leftsubnet=192.0.1.0/24leftsubnet=192.0.1.0/24 [email protected][email protected] ## ourour certificatecertificate leftcert=MyName.example.comleftcert=MyName.example.com right=192.1.2.45right=192.1.2.45 rightsubnets={192.0.2.0/24,rightsubnets={192.0.2.0/24, 192.168.0.0/16}192.168.0.0/16} [email protected][email protected] ## IDID mustmust bebe SubjectAltNameSubjectAltName onon certcert ## theirtheir certificatecertificate transmittedtransmitted viavia IKEIKE auto=ondemandauto=ondemand

16 IPsec for large scale deployments Remote Access Server configuration Using CA based certificates:

## /etc/ipsec.d/vpnserver.conf/etc/ipsec.d/vpnserver.conf

connconn vpnservervpnserver left=193.110.157.148left=193.110.157.148 leftcert=vpn.nohats.caleftcert=vpn.nohats.ca [email protected][email protected] ## forfor split-VPN,split-VPN, specifyspecify youryour server’sserver’s subnetsubnet insteadinstead ofof 0/00/0 leftsubnet=0.0.0.0/0leftsubnet=0.0.0.0/0 rightaddresspool=100.64.13.2-100.64.13.254rightaddresspool=100.64.13.2-100.64.13.254 right=%anyright=%any rightid=%fromcertrightid=%fromcert ## serverserver optionsoptions auto=addauto=add rekey=norekey=no modecfgdns=8.8.8.8modecfgdns=8.8.8.8 modecfgpull=yesmodecfgpull=yes dpddelay=9mdpddelay=9m dpdtimeout=30mdpdtimeout=30m dpdaction=cleardpdaction=clear mobike=yesmobike=yes ipsec-interface=yesipsec-interface=yes 17 IPsec for large scale deployments Remote Access Client configuration Using CA based certificates:

## ImportImport mymy PKCS#12PKCS#12 cert:cert: ipsecipsec importimport letoams.nohats.ca.p12letoams.nohats.ca.p12 ## /etc/ipsec.d/corporate.conf/etc/ipsec.d/corporate.conf

connconn corporate-vpncorporate-vpn left=%defaultrouteleft=%defaultroute leftcert=letoams.nohats.caleftcert=letoams.nohats.ca leftsubnet=0.0.0.0/0leftsubnet=0.0.0.0/0 leftmodecfgclient=yesleftmodecfgclient=yes right=vpn.nohats.caright=vpn.nohats.ca rightsubnet=0.0.0.0/0rightsubnet=0.0.0.0/0 [email protected][email protected] narrowing=yesnarrowing=yes rekey=yesrekey=yes mobike=yesmobike=yes

18 IPsec for large scale deployments Remote Access Client configuration Using CA based certificates:

$$ sudosudo ipsecipsec autoauto --up--up vpn.nohats.cavpn.nohats.ca 181181 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #1:#1: initiatinginitiating IKEv2IKEv2 IKEIKE SASA 181181 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #1:#1: STATE_PARENT_I1:STATE_PARENT_I1: sentsent v2I1,v2I1, expectedexpected v2R1v2R1 182182 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: STATE_PARENT_I2:STATE_PARENT_I2: sentsent v2I2,v2I2, expectedexpected v2R2v2R2 {auth=IKEv2{auth=IKEv2 cipher=AES_GCM_16_256cipher=AES_GCM_16_256 integ=n/ainteg=n/a prf=HMAC_SHA2_512prf=HMAC_SHA2_512 group=MODP2048}group=MODP2048} 002002 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: certificatecertificate verifiedverified OKOK [email protected],CN=vpn.nohats.ca,OU=Clients,[email protected],CN=vpn.nohats.ca,OU=Clients,O=No HatsHats Corporation,L=Ottawa,ST=Ontario,C=CACorporation,L=Ottawa,ST=Ontario,C=CA 002002 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: IKEv2IKEv2 modemode peerpeer IDID isis ID_FQDN:ID_FQDN: '@vpn.nohats.ca''@vpn.nohats.ca' 003003 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: AuthenticatedAuthenticated usingusing RSARSA withwith IKEv2_AUTH_HASH_SHA2_512IKEv2_AUTH_HASH_SHA2_512 002002 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: receivedreceived INTERNAL_IP4_ADDRESSINTERNAL_IP4_ADDRESS 100.64.13.3100.64.13.3 002002 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: receivedreceived INTERNAL_IP4_DNSINTERNAL_IP4_DNS 193.110.157.148193.110.157.148 005005 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: ReceivedReceived INTERNAL_DNS_DOMAIN:INTERNAL_DNS_DOMAIN: nohats.canohats.ca 002002 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: up-clientup-client output:output: updatingupdating resolvconfresolvconf 002002 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: negotiatednegotiated connectionconnection [100.64.13.3-100.64.13.3:0-65535[100.64.13.3-100.64.13.3:0-65535 0]0] ->-> [0.0.0.0-255.255.255.255:0-65535[0.0.0.0-255.255.255.255:0-65535 0]0] 004004 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: STATE_V2_IPSEC_I:STATE_V2_IPSEC_I: IPsecIPsec SASA establishedestablished tunneltunnel modemode {ESP/NAT=>0x0bb71fd2{ESP/NAT=>0x0bb71fd2 <0x899a9f05<0x899a9f05 xfrm=AES_GCM_16_256-NONExfrm=AES_GCM_16_256-NONE NATOA=noneNATOA=none NATD=193.110.157.148:4500NATD=193.110.157.148:4500 DPD=passive}DPD=passive}

19 IPsec for large scale deployments Remote Access Client NetworkManager plugin networkmanager-libreswan

20 IPsec for large scale deployments Remote Access Server Web interface Preview: github.com/Rishabh04-02/Libreswan-managing-interface

21 IPsec for large scale deployments Remote Access Server interface

• Setup a Certificate Agency CA) • Setup the VPN server (TLS and IPsec) • Generate client certificates (PKCS#12) for download • Generate iOS/OSX VPN profiles (1 click install) • Traffic Accounting of clients • Temporarily and permanently Revoke client certificates

22 IPsec for large scale deployments Enterprise wide (mesh) encryption

• Each node attempts on-demand (opportunistic) IPsec to each other node • A node policy can be REQUIRE, OPTIONAL, or NO encryption using IPsec • Nodes should be able to list policies based on IP ranges and/or ports • Exceptions should be allowed for specific nodes • Added a new node should not require any reconfiguration on existing nodes • Idle IPsec connections should be removed over time • Currently support X.509 and DNSSEC as PKI for authenticating nodes

• WARNING: Your network based firewalls and IDS are bypassed!

23 IPsec for large scale deployments Enterprise wide (mesh) encryption Group policy files in /etc/ipsec.d/policies/* list network CIDRs andports

/etc/ipsec.d/policies/clear/etc/ipsec.d/policies/clear -- OnlyOnly allowallow cleartextcleartext /etc/ipsec.d/policies/clear-or-private/etc/ipsec.d/policies/clear-or-private -- DefaultDefault clear,clear, allowallow IPsecIPsec /etc/ipsec.d/policies/private/etc/ipsec.d/policies/private -- RequireRequire IPsecIPsec /etc/ipsec.d/policies/private-or-clear/etc/ipsec.d/policies/private-or-clear -- IPsec,IPsec, fallbackfallback toto clearclear

## /etc/ipsec.d/policies/private-or-clear/etc/ipsec.d/policies/private-or-clear 193.110.157.0/24193.110.157.0/24 193.111.228.0/24193.111.228.0/24

## /etc/ipsec.d/policies/private/etc/ipsec.d/policies/private 10.0.0.0/810.0.0.0/8 192.168.0.0/16192.168.0.0/16

## /etc/ipsec.d/policies/clear/etc/ipsec.d/policies/clear 193.110.157.0/24:22193.110.157.0/24:22 ## sshssh 193.110.157.0/24:443193.110.157.0/24:443 ## httpshttps

24 IPsec for large scale deployments Enterprise wide (mesh) encryption Policy files are implemented using “regular” connection definitions

## installinstall localcertificate:localcertificate: ipsecipsec importimport node1.example.com.p12node1.example.com.p12 ## /etc/ipsec.d/private.conf/etc/ipsec.d/private.conf

connconn privateprivate left=%defaultrouteleft=%defaultroute leftid=%fromcertleftid=%fromcert ## ourour certificatecertificate leftcert=node1.example.comleftcert=node1.example.com right=%opportunisticgroupright=%opportunisticgroup rightid=%fromcertrightid=%fromcert failureshunt=dropfailureshunt=drop negotiationshunt=holdnegotiationshunt=hold auto=ondemandauto=ondemand

25 IPsec for large scale deployments Enterprise wide (mesh) encryption Configuration for IPsec with fallback to cleartext

## installinstall localcertificate:localcertificate: ipsecipsec importimport node1.example.com.p12node1.example.com.p12 ## /etc/ipsec.d/private-or-clear.conf/etc/ipsec.d/private-or-clear.conf

connconn private-or-clearprivate-or-clear left=%defaultrouteleft=%defaultroute leftid=%fromcertleftid=%fromcert ## ourour certificatecertificate leftcert=node1.example.comleftcert=node1.example.com right=%opportunisticgroupright=%opportunisticgroup rightid=%fromcertrightid=%fromcert failureshunt=passthroughfailureshunt=passthrough negotiationshunt=passthroughnegotiationshunt=passthrough ## toto notnot leakleak cleartextcleartext duringduring IKEIKE negotiation:negotiation: ## negotiationshunt=holdnegotiationshunt=hold auto=ondemandauto=ondemand

26 IPsec for large scale deployments Enterprise wide (mesh) encryption Configuration for preferring plaintext but accepting IPsec if requested

## installinstall localcertificate:localcertificate: ipsecipsec importimport node1.example.com.p12node1.example.com.p12 ## /etc/ipsec.d/clear-or-private.conf/etc/ipsec.d/clear-or-private.conf

connconn clear-or-privateclear-or-private left=%defaultrouteleft=%defaultroute leftid=%fromcertleftid=%fromcert ## ourour certificatecertificate leftcert=node1.example.comleftcert=node1.example.com right=%opportunisticgroupright=%opportunisticgroup rightid=%fromcertrightid=%fromcert failureshunt=passthroughfailureshunt=passthrough negotiationshunt=passthroughnegotiationshunt=passthrough ## toto notnot leakleak cleartextcleartext duringduring IKEIKE negotiation:negotiation: ## negotiationshunt=holdnegotiationshunt=hold ## don’tdon’t initiate,initiate, butbut allowallow respondingresponding auto=addauto=add

27 IPsec for large scale deployments Recap: Enterprise wide (mesh) encryption

• Create policy connections in /etc/ipsec.d/*.conf for IPsec policy groups • Place IP address/port ranges in /etc/ipsec.d/policues/* • Import host PKCS#12 certificate into libreswan • Start the IPsec service • Profit!

• Check encryption ● ipsec trafficstatus ● ipsec status ● ipsec shuntstatus (for remote peers we tried and failed IPsec to)

28 IPsec for large scale deployments Internet wide mesh encryption using LetsEncrypt (Requires libreswan 3.30, uses NAT-within-IPsec)

## setupsetup onon laptoplaptop ## (host(host initiatedinitiated asas anonymous,anonymous, authenticatesauthenticates remoteremote server)server) $$ sudosudo ipsecipsec letsencryptletsencrypt --client--client ## echoecho “193.110.157.131/32”“193.110.157.131/32” >>>> /etc/ipsec.d/policies/private-or-clear/etc/ipsec.d/policies/private-or-clear ## echoecho “0.0.0.0/0”“0.0.0.0/0” >>>> /etc/ipsec.d/policies/private-or-clear/etc/ipsec.d/policies/private-or-clear

## SetupSetup onon server:server: ## (host(host authenticatesauthenticates itselfitself viavia FQDNFQDN (eg(eg letsencrypt.nohats.ca)letsencrypt.nohats.ca) $$ sudosudo ipsecipsec letsencryptletsencrypt --server--server ## (create(create aa letsencryptletsencrypt certificatecertificate forfor IPsec)IPsec) $$ sudosudo ipsecipsec letsencryptletsencrypt --generate-certificate--generate-certificate my.example.commy.example.com

29 IPsec for large scale deployments LETSENCRYPT CLIENT FOR IPSEC Anonymous client to authenticated server

$$ pingping letsencrypt.libreswan.orgletsencrypt.libreswan.org PINGPING letsencrypt.libreswan.orgletsencrypt.libreswan.org (193.110.157.131)(193.110.157.131) 56(84)56(84) bytesbytes ofof data.data. 6464 bytesbytes fromfrom letsencrypt.libreswan.orgletsencrypt.libreswan.org (193.110.157.131):(193.110.157.131): icmp_seq=2icmp_seq=2 ttl=64ttl=64 time=96.2time=96.2 msms 6464 bytesbytes fromfrom letsencrypt.libreswan.orgletsencrypt.libreswan.org (193.110.157.131):(193.110.157.131): icmp_seq=3icmp_seq=3 ttl=64ttl=64 time=96.7time=96.7 msms

ipsecipsec whackwhack --trafficstatus--trafficstatus 006006 #2:#2: "private-or-clear#193.110.157.131/32"[1]"private-or-clear#193.110.157.131/32"[1] 100.64.0.2/32===100.64.0.2/32=== ...193.110.157.131,...193.110.157.131, type=ESP,type=ESP, add_time=1471926595,add_time=1471926595, inBytes=252,inBytes=252, outBytes=252,outBytes=252, id='CN=letsencrypt.libreswan.org',id='CN=letsencrypt.libreswan.org', lease=100.64.0.2/32lease=100.64.0.2/32

30 IPsec for large scale deployments DRAFT-ANTONY-IPSECME-OPPO-NAT Eliminating the IP address conflicts caused by NAT 193.110.15.131193.110.15.131 RemoteRemote OpportunisticOpportunistic IPsecIPsec serverserver 192.168.2.45192.168.2.45 OpportunisticOpportunistic ClientClient pre-NATpre-NAT IPIP addressaddress 100.64.0.2100.64.0.2 IPIP addressaddress fromfrom IPsecIPsec serverserver addressaddress poolpool ## ipip xfrmxfrm polpol srcsrc 100.64.0.2/32100.64.0.2/32 dstdst 193.110.157.131/32193.110.157.131/32 dirdir outout prioritypriority 20802080 ptypeptype mainmain tmpltmpl srcsrc 192.1.2.45192.1.2.45 dstdst 193.110.157.131193.110.157.131 protoproto espesp reqidreqid 1638916389 modemode tunneltunnel srcsrc 193.110.157.131/32193.110.157.131/32 dstdst 100.64.0.2/32100.64.0.2/32 dirdir fwdfwd prioritypriority 20802080 ptypeptype mainmain tmpltmpl srcsrc 193.110.157.131193.110.157.131 dstdst 192.1.2.45192.1.2.45 protoproto espesp reqidreqid 1638916389 modemode tunneltunnel srcsrc 193.110.157.131/32193.110.157.131/32 dstdst 100.64.0.2/32100.64.0.2/32 dirdir inin prioritypriority 20802080 ptypeptype mainmain tmpltmpl srcsrc 193.110.157.131193.110.157.131 dstdst 192.1.2.45192.1.2.45 protoproto espesp reqidreqid 1638916389 modemode tunneltunnel srcsrc 192.168.2.45/32192.168.2.45/32 dstdst 193.110.157.131/32193.110.157.131/32 dirdir outout prioritypriority 20802080 ptypeptype mainmain tmpltmpl srcsrc 192.1.2.45192.1.2.45 dstdst 193.110.157.131193.110.157.131 protoproto espesp reqidreqid 1638916389 modemode tunneltunnel

31 IPsec for large scale deployments DRAFT-ANTONY-IPSECME-OPPO-NAT Eliminating the IP address conflicts caused by NAT

193.110.15.131193.110.15.131 RemoteRemote OpportunisticOpportunistic IPsecIPsec serverserver 192.168.2.45192.168.2.45 OpportunisticOpportunistic ClientClient pre-NATpre-NAT IPIP addressaddress 100.64.0.1100.64.0.1 ClientClient IPIP addressaddress assignedassigned yy OpportunisticOpportunistic IpsecIpsec serverserver

## iptablesiptables -t-t natnat -L-L -n-n

ChainChain PREROUTINGPREROUTING (policy(policy ACCEPT)ACCEPT) targettarget protprot optopt sourcesource destinationdestination DNATDNAT allall ---- 193.110.157.131193.110.157.131 100.64.0.1100.64.0.1 \\ policypolicy matchmatch dirdir inin polpol ipsecipsec to:192.168.2.45to:192.168.2.45

ChainChain POSTROUTINGPOSTROUTING (policy(policy ACCEPT)ACCEPT) targettarget protprot optopt sourcesource destinationdestination SNATSNAT allall ---- 0.0.0.0/00.0.0.0/0 193.110.157.131193.110.157.131 \\ policypolicy matchmatch dirdir outout polpol ipsecipsec to:100.64.0.1to:100.64.0.1

Basically:Basically: NATNAT withinwithin thethe IPsecIPsec subsystemsubsystem

32 IPsec for large scale deployments QUESTIONS & ANSWERS

33 IPsec for large scale deployments